US Executive Order 14028: what it means for Open Source users

13 September, 2021

US Executive Order 14028, issued in May 2021, represents a major step forward. It aims to improve national cybersecurity and to increase transparency in software supply chains within the public sector. The challenge: it requires information that many companies have never collected.

Key points

  • The US Government published Executive Order 14028 on 12 May 2021, introducing many new regulations for companies supplying products or services containing software to US Government agencies.
  • Among these regulations is the obligation to include a “Software Bill of Materials” (SBOM) with every product. The US National Telecommunications and Information Administration (NTIA) has published a set of minimum requirements for an SBOM.
  • Together with the recently published ISO 5230 and ISO 5962 standards for Open Source Software Compliance and Open Source Software Bills of Materials, these new regulations are an opportunity for companies offering products or services that include software. Beyond meeting the requirements of the new Executive Order, the changes involved also offer the chance to establish internal software development practices in line with international standards for the use of Open Source Software.

Your expert for questions

Julian Schauder
Manager, Open Source Software Services at PwC Germany
Tel: +49 211 981-4786

Why will the issue affect almost everyone?

The Linux Foundation’s established OpenChain industry standard on Open Source Software Compliance has become a vital standard, used all over the world. Because of this, it was upgraded to an official ISO standard – ISO 5230 – at the end of 2020. A Software Bill of Materials is also an essential element within this standard, and so the ISO adopted and standardised a widely used SBOM format in ISO 5962 in 2021.

Shortly afterwards, US Executive Order 14028 was introduced, requiring SBOMs to be provided to US Government agencies. In the past, many organisations have been reluctant to require SBOMs from their suppliers due to the complexity and adjustments involved in doing so. Executive Order 14028, on the other hand, is now spearheading the idea that SBOMs can be required by default – despite the fact that many organisations need to carry out a lot of work to achieve sufficient SBOM maturity and quality.

The review and delivery of SBOMs has been standard practice in certain industries for quite some time. Even before these new regulations were introduced, we at PwC had long recommended Bill of Materials Compliance Reviews for licences and component security when procuring products and services that include software. With increasing digitalisation, complexity, and use of Open Source Software, we expect to see other governments and industries adopting these requirements.

“SMEs in particular are often overwhelmed by the compliance requirements of a Software Bill of Materials, as they have no access to dedicated or trained personnel.”

Julian Schauder, Manager, Open Source Software Services

Why is this such a high-profile issue?

It’s no coincidence that software supply chain security and vulnerabilities have recently become a hot topic: cyberattacks on software supply chains have increased considerably in recent years, and the issue has been getting a lot of attention in the media. 

Recent examples have dramatically shown that even the smallest malicious element or exploit in a software component at any point in the supply chain can trigger security failures on a global scale. Events such as these can undermine overall trust in software and create concerns among downstream users.

What are SBOMs and what are their benefits?

An SBOM provides information giving detailed insights into the software supply chain, such as components used, licences, and information on authors. This provides transparency and makes it possible to identify potential vulnerabilities and legal risks.

Users of the software can utilise the SBOM as an efficient way of gaining insights into the software supply chain, in turn allowing users to find out about potential risks involved with using the software. The world of Open Source Software is highly dynamic. Therefore, it is essential to regularly re-evaluate any software in use because new security vulnerabilities and exploits may be discovered at any time. If an SBOM is available, most of this review process can be automated, enabling new risks to be identified and dealt with more quickly. This is one of the reasons why the NTIA has issued a set of minimum requirements for SBOM content.  

Under these minimum requirements, the SBOM for each component must include information such as the name of the supplier, the name and version number of the component used, and its relationship to other components. The NTIA also recommends that SBOMs should be updated for each new release, a requirement which could easily lead to failure of non-automated solutions due to bottlenecks and lack of capacity.

The NTIA also emphasises that these requirements may be subject to change in the future as circumstances change. It is therefore recommended that licensing information and detailed depictions of the relationships to other software components be included in long-term projects or for particularly security-sensitive integration points, even if this is not strictly necessary at present.
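The two paragraphs above describe what an SBOM must carry (supplier, component name, version, relationship to other components, plus author and timestamp of the SBOM data) and why that matters: once the data exists in a machine-readable form, the re-evaluation of components against newly published advisories can be automated and the affected products traced through the dependency relationships. The following is an added example, not code from the article or from PwC, that performs both steps on a constructed SBOM. The field names, component names, versions and advisory identifiers are placeholders chosen for the example; the JSON layout is a plain rendering of the NTIA minimum elements, not any particular SBOM format such as SPDX or CycloneDX.

```python
"""Added example: check an SBOM for the NTIA minimum elements and
re-evaluate its components against a constructed advisory feed.

All data below is constructed for illustration. The advisory ids are
placeholders and do not refer to real vulnerabilities.
"""
import json

# Per-component fields required by the NTIA minimum elements:
# supplier name, component name, version, a unique identifier and the
# dependency relationship to other components.
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version", "identifier", "depends_on")
# Document-level fields: author of the SBOM data and a timestamp.
REQUIRED_DOCUMENT_FIELDS = ("author", "timestamp", "components")

# Constructed sample SBOM. The "libbar" entry deliberately lacks its
# supplier so that the check below has something to report.
SAMPLE_SBOM_JSON = """
{
  "author": "example-vendor build pipeline",
  "timestamp": "2021-09-13T10:00:00Z",
  "components": [
    {"supplier": "Example Vendor", "name": "acme-app", "version": "2.1.0",
     "identifier": "pkg:generic/acme-app@2.1.0", "depends_on": ["libfoo", "libbar"]},
    {"supplier": "Foo Project", "name": "libfoo", "version": "1.4.2",
     "identifier": "pkg:generic/libfoo@1.4.2", "depends_on": []},
    {"name": "libbar", "version": "0.9.0",
     "identifier": "pkg:generic/libbar@0.9.0", "depends_on": []}
  ]
}
"""

# Constructed advisory feed: component name, affected versions, placeholder id.
SAMPLE_ADVISORIES = [
    {"name": "libfoo", "affected_versions": ["1.4.1", "1.4.2"], "id": "EXAMPLE-ADV-0001"},
    {"name": "libqux", "affected_versions": ["3.0.0"], "id": "EXAMPLE-ADV-0002"},
]


def check_minimum_elements(sbom: dict) -> dict:
    """Return {scope: [missing fields]} for every place the SBOM falls short.

    An empty dict means the document and every component carry all
    required fields.
    """
    missing = {}
    doc_missing = [f for f in REQUIRED_DOCUMENT_FIELDS if f not in sbom]
    if doc_missing:
        missing["document"] = doc_missing
    for comp in sbom.get("components", []):
        comp_missing = [f for f in REQUIRED_COMPONENT_FIELDS if f not in comp]
        if comp_missing:
            missing[comp.get("name", "<unnamed>")] = comp_missing
    return missing


def dependents_of(sbom: dict, name: str) -> list:
    """Walk the dependency relationship upwards: which components ship `name`?

    Iterative with a seen-list so that a cyclic relationship graph
    (possible in a hand-written SBOM) cannot loop forever.
    """
    seen, stack = [], [name]
    while stack:
        current = stack.pop()
        for comp in sbom.get("components", []):
            dependent = comp.get("name")
            if current in comp.get("depends_on", []) and dependent and dependent not in seen:
                seen.append(dependent)
                stack.append(dependent)
    return seen


def match_advisories(sbom: dict, advisories: list) -> list:
    """Re-evaluate every listed component against the advisory feed.

    Each hit records the affected component and, via the dependency
    relationship, the components that are exposed through it.
    """
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["name"] and comp.get("version") in adv["affected_versions"]:
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "exposes": dependents_of(sbom, comp["name"])})
    return hits


def review(sbom_json: str, advisories: list) -> dict:
    """Parse the SBOM once and run both checks; the automated review step."""
    sbom = json.loads(sbom_json)
    return {"missing": check_minimum_elements(sbom),
            "advisories": match_advisories(sbom, advisories)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

Run against the constructed data, the review reports that the "libbar" entry is missing its supplier, and that "libfoo" 1.4.2 matches the placeholder advisory and exposes "acme-app" through the declared dependency. In practice the advisory feed would be refreshed on a schedule and the review re-run on every release of the SBOM, which is the point the NTIA recommendation on updating SBOMs per release is making.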

Currently, neither commercial products nor open-source software solutions routinely offer SBOMs that meet the NTIA’s minimum requirements. In most cases, explicit requests have to be made to obtain an SBOM.

In addition, Open Source products sometimes require work to be done by external service providers to meet compliance requirements, as Open Source communities do not always undertake work of this nature. Without an established process, SBOM compliance can quickly become a problem, as ad-hoc solutions are either very expensive or completely non-existent.

How our experts can help

To future-proof your company, you need to take action now to ensure that you comply with current software supply chain regulations. An SBOM that meets all minimum requirements provides a solid foundation for compliance, vulnerability analysis and for dealing with legal issues regarding licences, increasing overall security of your systems.

If you need support with administering your SBOMs, PwC managed services are available to help you meet requirements without having to build up all the processes and resources for this internally. 

Our Open Source Software Services experts can help you ensure compliance and agility, and support you in realising the benefits of Open Source. Certification by PwC enables you to finalise your Open Source Software Compliance programme, demonstrating to your customers that you comply with ISO 5230.

“Complete and correct Software Bills of Materials are a vital part of trusted software supply chains to enable compliance, security and transparency while reducing the work involved for everyone in the ecosystem.”

Marcel Scholze, Director, Open Source Software Services & IT Sourcing

Contact us

Marcel Scholze
Director Open Source Software Services & IT Sourcing, PwC Germany
Tel: +49 69 9585-1746

Julian Schauder
Manager, PwC Germany
Tel: +49 211 981-4786